Secure Key Management

1. A computer implemented method for secure key management, comprising: creating, by a computer processing unit of a computer, the computer comprising the computer processing unit and a memory, a token and populating a payload section of the token with key material; selecting a wrapping method from a plurality of supported wrapping methods that specifies how the key material is securely bound to key control information, wherein a structure of the key control information in the token is independent of the wrapping method, and wherein the plurality of supported wrapping methods comprises advanced encryption standard key wrap (AESKW), Rivest Shamir Adelman (RSA) with Optimal Asymmetric Encryption Padding (OAEP), data encryption standard (DES), Elliptic Curve, and message authentication code (MAC); and wrapping the key material and binding key control information to the key material in the token, wherein the key control information includes information relating to usage and management of the key material, wherein the token comprises the key control information, the payload section, a hash method field, and a description of the wrapping method, the description of the wrapping method being distinct from the hash method field and being located in a selected section of the token, and wherein the selected section in the token is known by a party accessing the token, the description of the wrapping method corresponding to one of the plurality of supported wrapping methods, and wherein the key control information further comprises a label for the token that is recoverable from the token, the label comprising an unencrypted user-specified name of the token.

2. The method of claim 1 , wherein the information relating to usage of the key material comprises a field that limits actions that may be performed with the key material.

3. The method of claim 1 , wherein the information relating to management of the key material comprises a field that limits distribution of the key material.

4. The method of claim 1 , wherein the information relating to management of the key material comprises extensible fields that are configured to describe a history and life cycle of the key material and allow updates to the extensible field after receiving the token by the party accessing the token, and wherein a policy specifying when to retire the token and allowable methods for wrapping the token is configured to be created after receiving the token by the party accessing the token based on the extensible fields.

5. The method of claim 1 , wherein securely binding the key control information to the key material comprises binding the key control information to a payload that comprises the key material, a hash of the key control information and a padding.

6. The method of claim 1 , wherein the key control information comprises an extensible field for manufacturer data and an extensible field for user data.

7. The method of claim 1 , wherein the information relating to usage of the key material comprises extensible fields.

8. The method of claim 1 , wherein the description of the wrapping method describes how the key material in the payload section is bound to the key control information, and wherein the hash method field describes a hash algorithm that is applied to the key control information.